Leveraging eBPF to enhance sandboxing of WebAssembly runtimes
Marco Abbadini, Michele Beretta, Dario Facchinetti, Gianluca Oldani, Matthew Rossi, Stefano ParaboschiIn Proc. of the 18th ACM ASIA Conference on Computer and Communications Security (ASIACCS) — Melbourne, Australia, July 10-14, 2023
In this work we propose a solution to enhance the security of the sandbox provided by Wasm runtimes when file system resources are involved via the WASI (WebAssembly System Interface).
Currently, runtimes that implement WASI allow for a poor granularity when specifying what is accessible and what is not, and moreover previous work has also found that this approach is error-prone and can lead to security issues.
Hence, in this work we have replaced the security checks in hostcall wrappers with eBPF programs, enabling the user to specify fine-grained per-module policies. This paper shows that our approach has limited overhead and it's viable.
@inproceedings{enhance-wasm-sandbox,
author = {Marco Abbadini and Michele Beretta and Dario
Facchinetti and Gianluca Oldani and Matthew Rossi and
Stefano Paraboschi},
booktitle = {Proceeding of the 18th ACM ASIA Conference
on Computer and Communications Security
(ACM ASIACCS 2023)},
title = {Leveraging eBPF to enhance sandboxing of
WebAssembly runtimes},
year = {2023},
}